DSGVO / revDSG (CH) / GDPR when embedding Babylon JS Player on Website

Hey there! This is probably waaay off topic. But only experts can potentially answer my question. As a regular web developer friend would go “babylonjs, ain’t that something ya eat?”…

Here in Switzerland we are confronted with our new data protection law. Specifically it defines that anything, which is communicating with external URLs, has to be included in the cookie settings, so the website visitor can deny consent to see the content.

Now, the WordPress plugin of my choice, Real Cookie Banner, is reporting the embedding of the Babylonjs player from https://cdn.babylonjs.com/viewer/babylon.viewer.js

Should I download the player locally, and change the embedding? Or should I create a content blocker and what would I say gets shared with the target URL?

I assume no data is being shared. The only thing that happens is the script gets loaded and the player goes “brrr brrr”. Or is the IP stored on CDN?

Edit: forgot URL https://www.blog.fullframestudios.ch/

@mawa you’re based in Switzerland, right? Any thoughts? :thinking:

1 Like

Update: I manually created a content blocker for Babylon JS content. I am probably going overboard here. Because loading the script is not setting a cookie, nor sending any user data to CDN (that’s those guys, right?). I could not find anywhere what kind of data they process if scripts are served via their service… I guess the IP of the website visitor is in some log files of CDN servers and also of my provider.

So yeah, I mainly did this exercise to figure out how to set up content blockers manually: 3D Web – Alex Furer

I am aware that the buttons are red text on red ground…

Any take from someone that knows what data is processed by embedding BabylonJS content, and if that is presenting a problem for the various privacy laws would be greatly appreciated!

EDIT: You have to press the second button “Weiter ohne Einwilligung” to deny consent and to be able to see the content blocker.

I’m not sure I fully understand the issue here. I haven’t used a WP plugin for BJS so far.
Obviously, as far as I know, BJS has no UX (marketing-orientated UX) so I believe it doesn’t process any data/personal information, correct?
As for the new Swiss law, it has been coming late (in my opinion) and still isn’t level with RGPD in Europe, or even Brazil, Canada or Japan. So, it’s really not that restrictive.

I’m not sure what you are building but I would say ‘yes’. Don’t overdo it. There’s always a fear when new laws are introduced. At the time of the new Canadian law and the RGPD in France I was working for a client on a lead capture app. Everyone was pushing and making hypotheses on what we should do (and should do immediately). In the end, we only had to make little changes and improvements in the app itself. Likely, the biggest part to conform with the law is on the side of management and monitoring (from my experience).

2 Likes

In fact, in production mode, I would advise you download the version you use and serve it yourself. Nothing to do with privacy but it’s the best way to make sure there will not be any breaking changes without you being aware. Personal opinion, of course, but I suppose it is a good practice. Although there are very few breaking changes in BJS and very rare server interruptions. Your choice. Meanwhile, have a great day :sunglasses:

2 Likes

Actually, the player is served via CDN. And CDN is collecting a ton of data. And under DSGVO (EU), it’s definitely an issue. I mean it’s an issue on the entire internet. Because nothing happens, until your user data gets hacked…

It’s easy enough to create a blocker by creating it manually with the Real Cookie Banner as mentioned above. Which I did.

But I might as well copy the player js locally and embed it so there’s no need for consent. And it’s future proof, as newer versions of the player will probably break my scene someday :slight_smile:

Here’s the message I got from the guys that create the Real Cookie Banner Plugin, which flagged the embedding of the BJS player from CDN (unfortunately in German and by no means legal advice, medical advice nor election fortification advice)

[Translated from German] cdn.babylonjs.com: cdn.babylonjs.com is typically a so-called CDN (Content Delivery Network). It stores files on a large number of servers worldwide so that they can be delivered to the website visitor as quickly as possible from the geographically nearest server. In almost all cases, not all of these servers are located in the EU or in third countries considered safe under EU data protection law. The transfer of the website visitor's IP address, as personal data, to the CDN's servers, and in particular the potential transfer to unsafe third countries, can as a rule only take place after your website visitors have given their consent. A CDN is as a rule not to be regarded as a technically essential component of web hosting, so a legitimate interest does not come into consideration either. Compare, among others, the decision of the VG Wiesbaden of 01.12.2021, Az. 6 L 738/21.WI, the judgment of the OLG Köln of 09.10.2020, Az. 6 U 32/20, or the judgment of the LG München I of 20.01.2022, Az. 3 O 17493/20. For you as the website operator, this means that we take the legal view that the CDN may only be used after consent has been given. However, rejecting the CDN will cause parts of your website to stop working, since necessary scripts can no longer be loaded. If you are using the CDN deliberately, you should therefore refrain from doing so. If the CDN is being used on your website unexpectedly, it is probably because your theme or one of your WordPress plugins uses it. You would have to host their scripts locally, which only a few themes or plugins offer as an option. As of today, we are not aware of any practical solution to this problem other than asking the vendor of the theme/plugin for local hosting. Consequently, there is no service template for the CDN you are using.
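The check behind that warning, as an added example that is not part of the thread or of the Real Cookie Banner plugin: a Node.js script that lists every host other than the site's own that a page's markup loads resources from, since each such request hands the visitor's IP address to that host. The sample markup is constructed; only the two URLs are taken from the posts above, and the function names are hypothetical.

```javascript
// Added example (not from the thread): find hosts other than the site's own
// that a page loads resources from. SAMPLE_HTML is constructed; only the two
// URLs in it come from the posts. Function names are hypothetical.
const SAMPLE_HTML = `
<html><head>
  <link rel="stylesheet" href="/wp-content/themes/site/style.css">
  <script src="https://cdn.babylonjs.com/viewer/babylon.viewer.js"></script>
  <script src="/wp-includes/js/local.js"></script>
</head><body>
  <img src="//www.blog.fullframestudios.ch/logo.png">
  <babylon model="/assets/scene.glb"></babylon>
</body></html>`;

// Tags whose src/href normally makes the browser issue a request on page load.
// This is a regex scan of static markup: resources injected by scripts at
// runtime are not seen, and <link> rels that do not load anything are
// still listed, so treat the output as candidates to review.
const LOADING_TAGS =
  /<(script|link|img|iframe|source|video|audio|embed)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;

function findThirdPartyResources(html, pageUrl) {
  const page = new URL(pageUrl);
  const hits = [];
  for (const m of html.matchAll(LOADING_TAGS)) {
    let target;
    try {
      target = new URL(m[2], page); // resolves relative and protocol-relative URLs
    } catch {
      continue; // unparsable attribute value
    }
    if (!/^https?:$/.test(target.protocol)) continue; // data:, blob: contact no host
    if (target.hostname !== page.hostname) {
      hits.push({ tag: m[1].toLowerCase(), host: target.hostname, url: target.href });
    }
  }
  return hits;
}

// Each distinct host is one recipient of the visitor's IP address.
function thirdPartyHosts(html, pageUrl) {
  const hosts = findThirdPartyResources(html, pageUrl).map((h) => h.host);
  return [...new Set(hosts)].sort();
}

console.log(thirdPartyHosts(SAMPLE_HTML, "https://www.blog.fullframestudios.ch/"));
```

Once the viewer script is copied to the site's own host and the `src` points there, the list for this sample comes back empty.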

Yes, of course. The point that can eventually become an issue would be

To be honest I did not read the new law in detail yet. But I (strongly) doubt that it would be more restrictive than RGPD in this aspect. I’m no lawyer but as I said, I’ve been working for a worldwide group in this aspect for many years. There’s a difference to be made between delivering content and collecting information. Else, to be honest, there would be no cloud anymore :grinning:
I suppose most important to understand here is what kind of information they can collect from a BJS scene.

I’m sure @Deltakosh would happily answer this question as he said that “Marketing-UX in BJS would only happen on his dead body” :grinning:… to which I added that I would put myself in front of him as a shield :shield:, so he wouldn’t be the first to die :skull_and_crossbones:

1 Like

I appreciate:)

On our side we are collecting nothing:)

But if you want to be safer you can always store the lib on your server (even if I do not see a real difference:))

2 Likes

I am providing website services here in Switzerland and I have, so far, completely ignored everything. Now some of my folks contacted me and asked questions about it. As always, with any legislation (which it is for now), it will completely depend on how the judges deal with it. That’s when legislation becomes law. Here we had 1 year grace period to implement the revDSG. Will they remind website owners and give them time to alter their websites, or will they say that one year was enough to implement it?

I just am precautious about governmental things lately, as the “mental” part seems to have become a regular thing in politics. pun intended…

The thing is that CDN stores the IP of who’s requesting the script. And it seems, according to their privacy policy, that they also collect other things.

So yeah, self hosting is the way to go here. Also considering the technical aspects.

Thanks to both of you for chiming in!

1 Like

Is it your app/service or are you providing services to clients? When you say ‘your folks’, is it your employees or your clients? I’m afraid if you want to dig deeper into this type of regulation you’re going to need advice from a lawyer. And not just any lawyer. Else, if you are working for a client, in the end it’s his problem to conform and your job would be to just follow the rules. Nobody (incl. the Swiss gov) can ask web developers to become specialists in this domain. It isn’t part of the job.

I suppose it all depends on who you are and what you do. If you are a mini salesforce, there’s a chance they will think that you are trying to push the limit to your benefit. If you simply provide common webservices, there’s a fair chance they would just give you some sort of ultimatum to fix it. Providing of course, that they will spot and target you first.

I am designing, creating and maintaining websites for clients. So I am partially responsible for what’s on the page. At the end of the day, it is my clients’ responsibility what they have on their website, but it’s partially my responsibility to point out to them, that there’s a demand for a very specific privacy policy declaration that has to be placed on every website. Plus the ability for the visitors to disable certain content, or agree to see all the content and accept cookies and tracking.

Therein is the mere storing of the visitor’s IP in the host’s server log. Which happens every time someone accesses a website. And also happens when the content is loading a script from CDN.

In this case the law is not unclear. It’s very specific and easy to understand. The user has to have the ability to decline being tracked and define what information is stored on their computer.

1 Like

Well, you can make this ez on yourself going the route of hosting the lib (both for privacy and technical reasons, as I do in case of production and ‘sensitive’ projects). I suppose this closes the issue and this way you can be reassured (which I believe is also important in our business and for our own health and wellbeing :sweat_smile:).
But as for the tracking of the IP, you are doing WordPress and the user also needs a browser. So, let’s face it, the IP is tracked, no matter what. All the question is how this IP is eventually linked to a stored profile of the user that may contain personal information. Up to a certain point, today, you simply cannot browse the web without having the GAFAM(s) storing a certain level of information (with none or little control from our govs - not to speak about the users). I mean, really, who would read the 30 pages of privacy policy (and understand them fully) before accessing a site or a service? We still have a long way to go to make the Internet a safer and more empathetic place :innocent:

Makes me happy that you are concerned with my happiness and well being.

I am making this easy on myself. I brought it up because you are 100% correct, every move on the internet is monitored and one becomes transparent as soon as connected to the internet.

That’s why storing the IP on server logs is subject to consent under DSGVO and revDSG. Period!

The internet was never meant to be empathetic. It used to be the real anarchist place and self responsibility and awareness formed the moral compass of people. Nowadays it’s guided, monitored and censored.

But yeah, the issue has been resolved for about 5 posts.

Thanks again!

1 Like

I would actually disagree here (a little :wink:) and also remind everyone that the people (Our people from the CERN in Switzerland) are the creators of the web.

As Tim Berners (head of project) said:

“The original idea of the web was that it should be a collaborative space where you can communicate through sharing information.”

34 years later, his opinion (and mine, btw, for what it matters :grin:) is that:

“… tech platforms control the world and manipulate people by providing information”.

I know the creator’s team (now all old people) mainly disagree with what the Internet has become. And so do I.

I am 54 years old. I am doing stuff on the internet for 30 years now and I think the internet is great. It’s just that people fall for big tech. So the internet is not the problem :slight_smile:

But of course, they crack down on “false information”, which is acronym for “information we don’t like”, and DSGVO, and all that crap, is just another step to silence small and independent voices. Because, as you mentioned, one needs to be a lawyer to install a website, not a technician anymore…

But, I am not vaccinated against covid, never wore a mask and never obeyed lockdowns, so yeah, the information is out there… One just has to question authority…

Which does not mean that I am not cautious if I am doing stuff on the internet for my clients…